
Rebuilding packages on *all* architectures



During the peripheral beer-drinking of the SUCON '04, a colleague of
mine raised the concern that Debian stable includes binary code
compiled on untrusted machines. I would like to herewith propose to
change that for the future.

An upload to Debian consists of a binary and source package. The
binary is included primarily to ensure that the uploader verified
the build. However, it is also used to take load off the
autobuilders. Thus, for every upload, only 10 of the 11
architectures need to be built; the binary for the uploader's
architecture is channeled to the archive without modification.

This opens the possibility that the binary stems from a different
source than the source package provides. Thus, a trojan could make
it to the archive without being detected, and even though only one
architecture would then be affected, it's a grave security problem.
Even if the builder did not knowingly upload a trojan, his/her build
environment could be contaminated.

I think that the Debian autobuilders should compile the DEB files
for *all* architectures. The binary upload should still be required
for the aforementioned reasons, but it should not make it to the
archive. Since I assume that most binaries accompanying a source
upload are i386, this would possibly require us to stock up on the
i386 autobuilder(s), which is the least of a problem.

I would say this requires few changes and causes a great increase
in the security and trustworthiness of the Debian archive. Or, put
differently, if companies find out that the binaries they install
were compiled on home-user PCs without special precautions, Debian
won't exactly gain popularity.

Comments welcome.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
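As an added example (not part of the post above and not Debian's own tooling), the following Python shows the check that sits behind the proposal: take the binary package the uploader sent along and the package the autobuilder rebuilt from the same source, unpack the data.tar member of each .deb, and compare the payload file by file. The package name, file paths and file contents in the sample are constructed; the ar and tar layout follows the .deb format, but the check looks only at the data.tar member and ignores control.tar and metadata such as ownership and timestamps.

```python
"""Compare an uploaded .deb's payload against an autobuilder's rebuild of
the same source package (added example; not Debian's own tooling).

A .deb is an ar archive holding debian-binary, control.tar.* and
data.tar.*. The check extracts data.tar.* from both files and compares
per-file SHA-256 digests, so a binary that was swapped, patched or padded
with extra files on the uploader's machine is reported by path, rather
than just flagged as "archives differ"."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def parse_ar(blob):
    """Return {member name: bytes} for a plain (non-indexed) ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        # header: 16 name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, 2 magic
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")  # GNU ar ends names with '/'
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member bodies are padded to even offsets
    return members


def build_ar(members):
    """Inverse of parse_ar; used here only to construct the sample .deb files."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                % (name, 0, 0, 0, "100644", len(body))).encode("ascii")
        out += body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)


def make_tar_gz(files):
    """Pack {path: content} into a gzip'd tar (constructed sample payload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_deb(control_files, data_files):
    """Assemble a minimal .deb from constructed control and data file sets."""
    return build_ar([("debian-binary", b"2.0\n"),
                     ("control.tar.gz", make_tar_gz(control_files)),
                     ("data.tar.gz", make_tar_gz(data_files))])


def payload_digests(deb_blob):
    """Map every regular file inside the .deb's data.tar.* to its SHA-256."""
    members = parse_ar(deb_blob)
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = hashlib.sha256(
                    tar.extractfile(member).read()).hexdigest()
    return digests


def compare_debs(uploaded, rebuilt):
    """Return {path: 'extra'|'missing'|'modified'} for payload files that
    differ between the uploaded binary and the autobuilder's rebuild; an
    empty dict means the two payloads agree file for file."""
    up, rb = payload_digests(uploaded), payload_digests(rebuilt)
    report = {}
    for path in sorted(set(up) | set(rb)):
        if path not in rb:
            report[path] = "extra"      # present only in the uploaded binary
        elif path not in up:
            report[path] = "missing"    # built from source, absent from the upload
        elif up[path] != rb[path]:
            report[path] = "modified"   # same path, different contents
    return report


# Constructed samples: REBUILT_DEB stands in for the autobuilder's output,
# CLEAN_UPLOAD for an honest uploader's binary, TAMPERED_UPLOAD for a
# binary whose build environment altered one program and added a library.
CONTROL = {"control": b"Package: hello\nVersion: 1.0-1\nArchitecture: i386\n"}
CLEAN_DATA = {"usr/bin/hello": b"\x7fELF-sample-hello",
              "usr/share/doc/hello/copyright": b"GPL\n"}
TAMPERED_DATA = dict(CLEAN_DATA, **{
    "usr/bin/hello": b"\x7fELF-sample-hello-altered",
    "usr/lib/hello/helper.so": b"\x7fELF-sample-helper"})

REBUILT_DEB = make_deb(CONTROL, CLEAN_DATA)
CLEAN_UPLOAD = make_deb(CONTROL, CLEAN_DATA)
TAMPERED_UPLOAD = make_deb(CONTROL, TAMPERED_DATA)

if __name__ == "__main__":
    print("clean upload   :", compare_debs(CLEAN_UPLOAD, REBUILT_DEB) or "identical payload")
    print("tampered upload:", compare_debs(TAMPERED_UPLOAD, REBUILT_DEB))
```

The sample payloads are plain byte strings, so the clean upload and the rebuild agree exactly. Real compilers embed timestamps, paths and other build-environment details in their output, so two independent builds of the same source normally differ in this comparison unless the package builds reproducibly; that is why the post's approach, discarding the uploaded binary and shipping only the autobuilder's output, is the simpler policy, while a file-by-file comparison like this one is what a defender would run to decide whether an uploader's binary may be kept.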
